#tor-meeting log

19:00:39 <GeKo> #startmeeting tor browser sandboxing 11/30
19:00:39 <MeetBot> Meeting started Fri Nov 30 19:00:39 2018 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:39 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:45 <GeKo> hello everyone!
19:01:05 <sysrqb> hi! i'm going afk now for another 2 min
19:01:11 <GeKo> we thought it would be a good idea to do a sync before mozilla all hands about our sandboxing plans
19:01:14 <sysrqb> anyone else here? :)
19:01:27 <GeKo> probably tjr
19:01:28 <tjr> I'm here. Do we have a pad? I have notes to paste somewhere :)
19:01:34 <GeKo> not yet
19:01:40 <GeKo> let me create one
19:02:16 <mcs> I’m here too.
19:03:01 <GeKo> https://pad.riseup.net/p/tor-browser-sandboxing-11-30
19:03:36 <sysrqb> okay, bad timing. here now.
19:03:39 <GeKo> okay back to the topic while we wait for sysrqb
19:03:39 <sysrqb> woo people :)
19:03:50 <GeKo> ah, you are back, good
19:03:59 <GeKo> let me just put some resources in this chat
19:04:27 <GeKo> https://lists.torproject.org/pipermail/tbb-dev/2018-July/000893.html is the mail summarizing our last meeting (which feels like ages ago)
19:04:52 <GeKo> it (and the following discussion) outlined some possible ways forward on *all* of our platforms
19:04:58 <GeKo> (from a birds-eye-view)
19:05:19 <GeKo> then https://bugzilla.mozilla.org/show_bug.cgi?id=1510416 might be interesting for the near future
19:05:46 <GeKo> gps and other mozilla folks have added some ideas in this bug
19:06:01 <GeKo> which might be worth thinking about and aligning with what we want to do
19:06:13 <GeKo> that said, sysrqb you have the stage
19:06:32 <tjr> 1510416 is solely about how firefox gets built; which is not very relevant for tor, i don't think, since it already gets built in a vm
19:06:58 <GeKo> ah, okay, then i misread that one
19:06:59 <tjr> (I don't know if there are known vm escapes you're concerned about though)
19:07:10 <sysrqb> that sounds like tor-browse- build?
19:07:20 <GeKo> yeah, if so this is orthogonal, then though
19:07:22 <GeKo> yes
19:09:00 <sysrqb> i was also cc'd on a bug for multi-process firefox on android...but i'm still looking for that link
19:09:59 <sysrqb> i think? or maybe i imagined it
19:10:03 <sysrqb> in any case
19:11:26 <sysrqb> so in the thread from july, tjr had good input on the sandboxing model sandboxed tor browser used
19:11:50 <sysrqb> i see we now have notes on the pad
19:13:40 <tjr> Yea, that's just what I brought to the meeting for discussion
19:16:29 <GeKo> tjr: is that stuff mozilla would be interested in helping with/doing?
19:17:11 <GeKo> or would it be useful to mark those items?
19:17:53 <GeKo> because it might get us some cheap progress while working on the harder topics
19:18:23 <tjr> Probably not....
19:18:38 <GeKo> okay, fair enough
19:18:53 <tjr> While haik I bet would help POC the little thing; I think the larger things would probably fall to Ethan's team to either develop ot uplift if Tor wrote them.
19:19:11 <tjr> And I think there are enough 'Oh poop we need to work on this for the next ESR' topics to keep Ethan's team busy until then.
19:19:24 <GeKo> yep, agreed
19:19:29 <tjr> (Specifically: rust, extensions, fingerprinting uplift)
19:19:31 <sysrqb> Necko is still in the parent process, correcct?
19:19:50 <tjr> Necko is in the parent process for ESR 60; but for the next ESR it will be in it's own process *I think*.
19:20:07 <tjr> I'm not sure of it's roadmap, it might slip? Or might not be on all platforms? But it's being worked on currently.
19:20:07 <sysrqb> okay, that's promsing
19:20:07 <GeKo> hopefully, yes
19:20:20 <tjr> That said, I'm not sure how much that gets us in the short term.
19:20:35 <tjr> Windows, there's complicated disabling network access. Mac's content process is already restricted.
19:20:42 <tjr> Linux... I dunnoe.
19:20:51 <tjr> s/complicated/complications/
19:21:27 <sysrqb> right, only as much as exploiting necko directly is possible
19:22:02 <sysrqb> that would be one fewer components in the parent process
19:23:25 <sysrqb> so, it seems like we mostly agree the least-effort in this area is getting sandboxd tor browser working with Tor Browser 8/8.5, correct?
19:23:43 <sysrqb> plus improving the various UX issues
19:24:12 <GeKo> yes, def least effort
19:24:21 <sysrqb> on the other platforms, improving on the work Mozilla are doing in this area seems like the way we are going?
19:24:22 <GeKo> i like tom's general opinion of sandboxing
19:25:02 <GeKo> one of the tricky things we have to decide is how to allocate our constrained resources here
19:25:32 <sysrqb> yeah
19:25:36 <GeKo> (assuming we like it)
19:26:21 <ahf> 14
19:26:35 <GeKo> so, my idea for the hard parts of the sandboxing work (parent process sandboxing) was to write something up to get funding for it
19:26:45 <GeKo> and hire someone helping us here
19:26:50 <mcs> I also like tjr’s “general opinion of sandboxing.” It seems like it will add security in the medium term without requiring us to hire a new team of engineers (maybe).
19:27:08 <GeKo> especially now that we lost arthur and are busy finding someone else to replace him
19:27:27 <GeKo> but the things to do did not get less
19:27:48 <GeKo> mcs: yes.
19:28:42 <sysrqb> ~.~.
19:29:18 <GeKo> ?
19:29:37 <GeKo> (what's ~.~.?)
19:30:02 <tjr> Squinty Eyes I think :)
19:30:29 <sysrqb> err, me force-closing my ssh session :(
19:30:31 <sysrqb> bad network
19:30:43 <sysrqb> sorry
19:30:53 <GeKo> ah :)
19:31:10 <tjr> Something to note: jld (Jed) knows a lot about sandboxing on Linux and I believe will be at our metting. Gian-Carlos (gcp) also knows a lot there but has a conflict and will miss the meeting. So it might be worth finding and chatting with him after the meeting to get some targeted thoughts from him.
19:32:36 <sysrqb> okay, that sounds like a good plan
19:33:48 <sysrqb> for windows, based on the response above, i'm guessing mozilla aren't interesting in prioritising work on removing networking from the content process, correct?
19:34:22 <tjr> Well, I *think* one of the issues was we needed to move audio out... which is either in-progress or done?
19:35:09 <sysrqb> okay
19:35:19 <tjr> After that I don't know what else is left?  So I don't have enough information. At a minimum, you could easily get someone to give you a rough idea of how hard it would be and what needs to be done. And if it's not that difficult, they might even be able to give you a POC patch that someone (maybe I, maybe Ethan's team) could try to uplift
19:35:37 <tjr> So it's worth asking about for certain.
19:35:56 <sysrqb> yeah, that's what i was thinking, too
19:36:01 <GeKo> yeah, that sounds good
19:37:03 <GeKo> sysrqb: if we could have a good overview where we are here for all platforms and what next steps would be to get the remaining things tackled
19:37:23 <GeKo> that would help a great deal with allocating someone from the tor browser team to work on those
19:37:27 <sysrqb> if i can get a per-platform break-down of what's remaining (as far as Moz know), and how difficult each item is
19:37:36 <sysrqb> sorry, lag. agreed
19:37:42 <GeKo> :)
19:38:14 <sysrqb> and the sandboxing meeting is on wWed, so that'll give me some time on Weds afternoon and thurs for this
19:38:34 <sysrqb> and Friday
19:40:42 <sysrqb> the windows launcher from https://bugzilla.mozilla.org/show_bug.cgi?id=1481546 seems like  it's making progress, as well
19:41:09 <tjr> yes!
19:41:12 <sysrqb> i havent looked at the actual impl yet, though,  so i have no idea if it's very useful to us at this point
19:41:18 <tjr> I have hopes that we can abuse that in the future :)
19:41:35 <sysrqb> that would be nice :)
19:42:27 <sysrqb> ok, so i think i have two take-aways from this meeting
19:42:46 <sysrqb> 1) we should evaluate how difficult getting sandboxed tor browser running again
19:43:25 <sysrqb> 2) at the all hands, we should get  break-down on what vectors are remaining on each platform, and what ideas exist for closing them
19:43:45 <sysrqb> and then we can evaluate what resources we want to devote to any of them
19:44:19 <GeKo> i think it is pretty clear we should hire someone for the parent process sandbox work
19:44:48 <GeKo> so i would add 3) get together after all-hands to write a proposal for funders to shop around
19:44:51 <sysrqb> yes, that seems like a much larger project
19:45:11 <GeKo> that is probably including results from 1)
19:45:13 <sysrqb> especially because this would not be supported by Mozilla's work at this point
19:45:18 <GeKo> yes
19:45:43 <GeKo> i have some ideas for that proposal
19:46:02 <GeKo> like using the sandboxed tor browser as a stepping stone to think about work on other platforms as well
19:46:35 <GeKo> while on the same time experimenting with it and what it means to get such a thing into a proper "product"
19:46:41 <GeKo> (i hate that word)
19:47:09 <sysrqb> "user-friendly browser" :)
19:47:25 <GeKo> yeah, sounds easy, right?
19:47:44 * tjr pulls down Mythical Man Month
19:47:52 <tjr> How about "a Programming Systems Product"?
19:47:53 <GeKo> exactly
19:48:39 <tjr> i had one or two other things to throw out for discussion
19:48:44 <sysrqb> okay, anyone else have somethign they want to discuss in this meeting?
19:48:52 <sysrqb> ah, aokay, go for it
19:48:53 <tjr> Another thing I will take the opportunity to ask here: there are patches in-progress or stalled at Mozilla for security features. They tend to be hung up because of performance or (more rarely) 'I don't like this, we should refactor it'.  They probably wouldn't last past an ESR rebase.  Would there be interest in me trying to land those in Tor Browser?
19:48:53 <tjr> (Actually it occurs to me both the ones I'm thinking of is in jemalloc which is disabled on Windows :( )
19:49:41 <GeKo> yes, please :)
19:49:51 <tjr> ok :)
19:49:52 <tjr> And in addition to this, there's also Fuzzyfox. The next step for that I think is more people to use it and enable it on Nightly and see if seems usable. (I want to do some performance testing myself, just haven't found time.)
19:49:56 <GeKo> fwiw what's the jeamalloc situation?
19:50:27 <tjr> Ummmm I think the next step was for me to re-debug because my results were inconsistent last time and ask dmajor for feedback
19:50:50 <tjr> But it was so painful debugging it, and i had mingw-clang so close with it's beautiful debugging that i just.... kinda.... worked on other stuff
19:50:56 <GeKo> does the issue go away if we switched to mingw-w64/clang?
19:50:59 <tjr> Yes
19:51:16 <GeKo> okay, then don't spend time on that one i think
19:51:41 <tjr> kk
19:51:49 <GeKo> we would probably ship jeamalloc support in alphas first anyway
19:52:01 <GeKo> and plan to switch to  mingw-w64/clang there soon (TM)
19:52:36 <GeKo> but, yes, fuzzyfox would be neat as well
19:52:49 <GeKo> but i suspect that's a largish patch
19:52:55 <sysrqb> that "just" need a backport?
19:53:00 <tjr> It's not that big a backport actually
19:53:05 <GeKo> yeah, "just"
19:53:31 <tjr> the larger effort would definetly be a) performance and acceptance testing and b) determining what ecurity margin is approximately equivalent to tor's current one
19:53:50 <tjr> Although (b) might just be "Hey David, what should we make this?"
19:53:58 <GeKo> sounds like somethiing we could our alphas use fr
19:54:01 <GeKo> *for
19:54:13 <GeKo> maybe even on some plaforms first
19:54:34 <GeKo> tjr: i guess you could file a trac bug for that?
19:54:46 <tjr> sure
19:54:48 <GeKo> and we do the work there and discuss how to deploy it?
19:55:13 <tjr> will work on these next week!
19:55:22 <GeKo> awesome!
19:56:24 <sysrqb> anyone have anything else?
19:56:39 <GeKo> i am fine and excited
19:56:45 <sysrqb> with 2 min remaining :)
19:57:00 <tjr> call it. thanks everyone!
19:57:10 <sysrqb> thanks tjr, GeKo, mcs
19:57:32 * sysrqb is excited too
19:58:11 <GeKo> #endmeeting